CN117692263A - Starting method of operating system, intelligent network card, gateway equipment and storage medium - Google Patents


Info

Publication number
CN117692263A
Authority
CN
China
Prior art keywords
message
address
header
operating system
network card
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202311689109.6A
Other languages
Chinese (zh)
Inventor
朱敏
朱世行
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Wuxi Muchuang Integrated Circuit Design Co ltd
Original Assignee
Wuxi Muchuang Integrated Circuit Design Co ltd
Application filed by Wuxi Muchuang Integrated Circuit Design Co ltd filed Critical Wuxi Muchuang Integrated Circuit Design Co ltd
Priority to CN202311689109.6A priority Critical patent/CN117692263A/en
Publication of CN117692263A publication Critical patent/CN117692263A/en

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides a starting method of an operating system, an intelligent network card, gateway equipment and a storage medium, which can be applied to the technical field of network equipment. The method comprises the following steps: in response to the received specified message, encrypting or decrypting the specified message to obtain a processed message; under the condition of encryption processing, adding a message header to the processed message to obtain a message to be sent, wherein the message header comprises an IP address of a second electronic equipment end for receiving the message to be sent; sending a message to be sent to an IP address of a second electronic equipment end, so that the first electronic equipment end starts an operating system based on the message to be sent; under the condition of decryption processing, the processed message is sent to the first electronic equipment end, so that the first electronic equipment end starts an operating system by adopting the processed message, and the hardware cost can be reduced.

Description

Starting method of operating system, intelligent network card, gateway equipment and storage medium
Technical Field
The present invention relates to the field of network devices, and in particular, to a method for starting an operating system, an intelligent network card, a gateway device, and a storage medium.
Background
The pre-boot execution environment (Preboot eXecution Environment, PXE), also known as a pre-execution environment, provides a mechanism for booting a computer using a network interface. This mechanism allows the computer to boot independently of the local data storage device (e.g., hard disk) or the locally installed operating system. With the continuous development of network applications, PXE is also increasingly used.
However, the related PXE interaction flow is prone to problems such as message theft, and security is poor.
Disclosure of Invention
In view of the above problems, the present invention provides a method for starting an operating system, an intelligent network card, a gateway device and a storage medium.
According to a first aspect of the present invention, there is provided a method for starting an operating system, applied to an intelligent network card, where the intelligent network card is disposed in a gateway device, and the operating system is installed on a first electronic device side, the method comprising:
encrypting or decrypting the appointed message in response to the received appointed message to obtain a processed message, wherein the appointed message is a message required by a pre-starting execution environment for starting an operating system;
under the condition of encryption processing, adding a message header to the processed message to obtain a message to be sent, wherein the message header comprises an IP address of a second electronic equipment end for receiving the message to be sent; the message to be sent is sent to the IP address of the second electronic equipment end, so that the first electronic equipment end starts the operating system based on the message to be sent;
and under the condition of decryption processing, sending the processed message to the first electronic equipment end so that the first electronic equipment end can start the operating system by adopting the processed message.
In some embodiments, the messages required by the pre-boot execution environment for starting the operating system use the DHCP protocol or the TFTP protocol.
In some embodiments, the header of the processed message includes an IP header, and adding the header to the processed message includes:
copying an IP header of the specified message, wherein the IP header of the specified message comprises a first part, a second part and a third part, the first part is a source IP address, the second part is a destination IP address, and the third part is a part except the source IP address and the destination IP address;
the first part is replaced by the IP address of the gateway equipment, the second part is replaced by the IP address of the receiving end, the replaced IP head is obtained, the receiving end is the second electronic equipment end under the condition of encryption processing, and the receiving end is the first electronic equipment end under the condition of decryption processing;
and taking the replaced IP header as the IP header of the message header of the processed message.
In some embodiments, the header of the message to be sent includes a UDP header, and adding the header to the processed message to obtain the message to be sent includes:
copying the UDP header of the specified message, wherein the UDP header of the specified message comprises a first part, a second part and a third part, the first part is a source port number, the second part is a destination port number, and the third part is a part except the source port number and the destination port number;
replacing the first part with the port number of the gateway device, and replacing the second part with the port number of a receiving end to obtain a replaced UDP header, wherein the receiving end is the second electronic device end under the condition of encryption processing, and the receiving end is the first electronic device end under the condition of decryption processing;
and taking the replaced UDP header as the UDP header of the message header of the processed message.
In some embodiments, a storage space is provided in the intelligent network card, and the storage space stores an address mapping table, where the address mapping table indicates a mapping relationship between the destination IP address and the IP address of the receiving end;
The replacing the second portion with the IP address of the receiving end includes:
and replacing the destination IP address with the IP address of the mapped receiving end according to the address mapping table in the storage space.
In some embodiments, the method further comprises:
and under the condition that the destination IP address of the designated message is the IP address of the gateway equipment, using the mirror image of the gateway equipment, enabling the gateway equipment to serve as the second electronic equipment side to execute the starting method of the operating system in the first aspect.
The second aspect of the present invention provides an intelligent network card, where the intelligent network card is disposed in a gateway device, and a local area network corresponding to the gateway device includes a first electronic device end, where an operating system is installed on the first electronic device end, and the intelligent network card includes:
the encryption and decryption module is used for responding to the received appointed message, carrying out encryption or decryption on the appointed message to obtain a processed message, wherein the appointed message is a message required by a pre-start execution environment for starting an operating system;
the message reconstruction module is used for adding a message header to the processed message to obtain a message to be sent under the condition of encryption processing, wherein the message header comprises an IP address of a second electronic equipment end used for receiving the message to be sent; the message to be sent is sent to the IP address of the second electronic equipment end, so that the first electronic equipment end starts the operating system based on the processed message;
and the message sending module is used for sending the processed message to the first electronic equipment end under the condition of decryption processing, so that the first electronic equipment end starts the operating system by adopting the processed message.
The third aspect of the present invention provides an intelligent network card, where the intelligent network card is disposed in a gateway device, and a local area network corresponding to the gateway device includes a first electronic device end, where an operating system is installed on the first electronic device end, and the intelligent network card includes:
one or more processors; and
storage means for storing one or more programs,
wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to perform the method of the first aspect.
A fourth aspect of the invention provides a gateway device provided with an intelligent network card as described in the third aspect.
The fifth aspect of the present invention also provides a computer readable storage medium having stored thereon executable instructions which, when executed by a processor, cause the processor to perform the above method.
According to the starting method of the operating system, the intelligent network card, the gateway equipment and the storage medium provided by the invention, on one hand, the hardware cost of the intelligent network card is saved: in the whole communication system, no matter how many clients are in the same local area network, only 1 independent intelligent network card is required to be installed on a gateway of the corresponding local area network; on the other hand, the modification to the original network system is less: the original local area network structure does not need to be modified, and only one intelligent network card is needed to be introduced, so that not only is the hardware modified less, but also the software modified less; yet another aspect may improve transmission efficiency: for some common data packets, the gateway equipment provided with the intelligent network card can complete the real-time mirror image of the software environment of the server, so that the communication efficiency of the client and the server is improved.
Drawings
The foregoing and other objects, features and advantages of the invention will be apparent from the following description of embodiments of the invention with reference to the accompanying drawings, in which:
FIG. 1 schematically illustrates a PXE environment network topology;
FIG. 2 schematically illustrates an interaction diagram of a client and a server in a PXE flow;
FIG. 3 schematically illustrates a block diagram of a PXE communication system in the related art;
FIG. 4 schematically illustrates a block diagram of a PXE communication system to which a method of starting an operating system is applied, according to an embodiment of the present invention;
FIG. 5 schematically illustrates a flowchart of a method of booting an operating system in accordance with an embodiment of the present invention;
FIG. 6 schematically illustrates a message entering a public network from a local area network through a gateway device equipped with an intelligent network card according to an embodiment of the present invention;
FIG. 7 schematically illustrates a message entering a gateway device for installing an intelligent network card from a public network according to an embodiment of the present invention;
FIG. 8 schematically illustrates another message entering a public network from a local area network through a gateway device equipped with an intelligent network card, according to an embodiment of the present invention;
FIG. 9 schematically illustrates another message entering a gateway device installing an intelligent network card from a public network in accordance with an embodiment of the present invention;
FIG. 10 schematically illustrates a schematic diagram of a software environment of a gateway device installing a smart network card according to an embodiment of the present invention;
FIG. 11 schematically illustrates a block diagram of a smart network card according to an embodiment of the present invention;
FIG. 12 schematically illustrates a block diagram of an intelligent network card for a method of booting an operating system in accordance with an embodiment of the present invention;
FIG. 13 schematically illustrates a network topology of an intelligent network card driver management server according to an embodiment of the present invention;
FIG. 14 schematically illustrates a directory structure diagram of an intelligent network card driver management server according to an embodiment of the present invention;
FIG. 15 schematically illustrates a flow chart of the execution of the intelligent network card driver maintenance software according to an embodiment of the present invention.
Detailed Description
Hereinafter, embodiments of the present invention will be described with reference to the accompanying drawings. It should be understood that the description is only illustrative and is not intended to limit the scope of the invention. In the following detailed description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the embodiments of the invention. It may be evident, however, that one or more embodiments may be practiced without these specific details. In addition, in the following description, descriptions of well-known structures and techniques are omitted so as not to unnecessarily obscure the present invention.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention. The terms "comprises," "comprising," and/or the like, as used herein, specify the presence of stated features, steps, operations, and/or components, but do not preclude the presence or addition of one or more other features, steps, operations, or components.
All terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art unless otherwise defined. It should be noted that the terms used herein should be construed to have meanings consistent with the context of the present specification and should not be construed in an idealized or overly formal manner.
Where expressions such as "at least one of A, B and C, etc." are used, they should generally be interpreted in accordance with the meaning commonly understood by those skilled in the art (e.g., "a system having at least one of A, B and C" shall include, but not be limited to, a system having A alone, B alone, C alone, A and B together, A and C together, B and C together, and/or A, B and C together, etc.).
In the technical scheme of the invention, the related processes of collecting, storing, using, processing, transmitting, providing, inventing, applying and the like of the personal information of the user all comply with the relevant laws and regulations, necessary security measures are adopted, and public order and good customs are not violated.
The following first explains the technical terms related to the present invention:
PXE: the pre-boot execution environment (Preboot eXecution Environment, PXE), also referred to as a pre-execution environment, provides a mechanism for booting a computer using a network interface (Network Interface).
DHCP: the dynamic host configuration protocol (Dynamic Host Configuration Protocol, DHCP) is a standard protocol defined by RFC 1541 (which has been superseded by RFC 2131) that allows a server to dynamically allocate IP addresses and configuration information to clients.
TFTP: the trivial file transfer protocol (Trivial File Transfer Protocol, TFTP) is a protocol in the TCP/IP protocol family for simple file transfer between a client and a server, providing a less complex, lower-overhead file transfer service.
NBP: the network bootstrap program (Network Bootstrap Program, NBP) is the first link in the boot chain process. It typically requests a small set of supplemental files via TFTP to run a very simple operating system executor (e.g., Windows PE or a basic Linux kernel + initrd). The most common NBPs are iPXE and PXELINUX. The small operating system executor loads its own network driver and TCP/IP stack, and then completes installing the operating system. At this point, the remaining files needed to boot or install the complete operating system are typically not provided by TFTP, but rather are provided using a reliable transport protocol (such as HTTP, CIFS, or NFS).
HMAC: the keyed-hash message authentication code (Hash-based Message Authentication Code, HMAC) is a message authentication method based on a hash function and a key, proposed by H. Krawczyk, M. Bellare and R. Canetti in 1996 and published in 1997 as RFC 2104. It is widely used in IPsec and other network protocols (such as SSL) and has become a de facto Internet security standard. It can be combined with any iterative hash function.
Five-tuple: the five-tuple (5-tuple) is the set of five basic attributes of a network packet, including a source IP address (source IP), a destination IP address (destination IP), a source port number (source port), a destination port number (destination port), and a transport protocol (also called layer 4 protocol). In network communications, each data packet contains these five attributes, which together constitute a unique identification of the data packet. These five attributes include:
source IP address: the IP address of the computer sending the data packet is used for identifying the source of the data packet;
destination IP address: an IP address of a computer receiving the data packet for determining a destination of the data packet;
source port number: a port number used by a computer transmitting the data packet for identifying an application from which the data packet is transmitted;
destination port number: a port number used by a computer receiving the data packet for identifying to which application the data packet should be delivered for processing;
transmission protocol: refers to a protocol used when sending data packets, such as TCP, UDP, etc.
A common PXE usage topology and environment is shown in FIG. 1.
Server side: the server runs the software environment related to the PXE server on the operating system (OS) of the server host. This software environment includes the network protocols required for the operation of the PXE server, such as the DHCP server protocol and the TFTP server protocol shown in FIG. 1. For the hardware environment of the server host, a network interface controller (Network Interface Controller, NIC) network card is required.
Client side: the client is also provided with a NIC network card. It runs the software environment related to the PXE client, including the necessary network protocols required by the PXE server, such as the DHCP client protocol and the TFTP client protocol shown in the figure.
In actual use, the client terminal can conveniently operate and control the server terminal through the PXE network protocol and the interface.
In the PXE environment of the related art, both the host on the server side and the host on the client side need to install NIC network cards, but they differ as follows: the NIC network card of the client is driven by PXE in the basic input/output system (BIOS); the NIC network card of the server is driven by a kernel driver in the operating system.
As shown in FIG. 2, the interaction between the client and the server in the PXE flow requires multiple rounds of communication and data packet transmission.
The related art PXE interaction flow has a certain security problem in the stages of requesting allocation of internet protocol addresses, network bootstrap file and configuration file download, system bootstrap file download, etc. because the DHCP and TFTP protocols used in the interaction are both clear text transmissions.
Based on the above problems in the related art, as shown in fig. 3, an intelligent network card may be installed in the electronic device where each client is located, and the intelligent network card encrypts and decrypts a message required for starting the pre-starting execution environment of the operating system and then sends the encrypted and decrypted message to the server, so as to ensure the security of message transmission in the starting process. However, the following problems may exist with this approach:
1. affecting communication performance: the data packets in the whole communication process need to be encrypted, which inevitably increases the encryption load on the client and affects the performance of the whole communication system;
2. increasing hardware cost: after the message is encrypted by adopting the intelligent network card, the encryption performance can be improved relative to a transmitted software encryption scheme, but the hardware cost of installing the intelligent network card on the electronic equipment terminal where each client is positioned can be increased;
3. Increasing the risk and cost of network modification: whether software or hardware encryption communication is adopted, the method involves the transformation of software BIOS environment and network card hardware of the electronic equipment side where each client side in the local area network is located. This would undoubtedly increase the risk and cost of network modification.
Based on the existing problems, the embodiment of the invention provides a starting method of an operating system, an intelligent network card, gateway equipment and a storage medium.
Fig. 4 schematically illustrates an architecture diagram of a PXE communication system to which a startup method of an operating system is applied, according to an embodiment of the present invention.
As shown in fig. 4, when a secure lan is formed by the electronic device end where a plurality of clients applying PXE are located, an electronic device with an intelligent network card is used as a gateway device, and encryption and decryption processing of a message in the whole PXE communication is completed only by using the gateway device.
Compared with the 1-client-to-1-server mode or the N-client-to-1-server mode in the related art shown in FIG. 3, the communication system provided by the embodiment of the present invention can achieve one of the following effects:
1. the hardware cost of the intelligent network card is saved: in the whole communication system, no matter how many clients are in the same local area network, only 1 independent intelligent network card is required to be installed on the gateway of the corresponding local area network.
2. The modification to the original network system is less: the original local area network structure does not need to be modified, and only one intelligent network card is needed to be introduced, so that not only is the hardware modified less, but also the software modified less;
3. the transmission efficiency can be improved: for some common data packets, the gateway equipment provided with the intelligent network card can complete the real-time mirror image of the software environment of the server, so that the communication efficiency of the client and the server is improved.
FIG. 5 schematically illustrates a flowchart of a method of booting an operating system according to an embodiment of the invention.
As shown in fig. 5, the method for starting the operating system in this embodiment includes operations S510 to S530, where the method is applied to an intelligent network card, the intelligent network card is disposed in a gateway device, and the operating system is installed on a first electronic device side.
In operation S510, in response to the received specified message, the specified message is encrypted or decrypted to obtain a processed message, where the specified message is a message required for starting the pre-boot execution environment of the operating system.
In operation S520, under the condition of performing encryption processing, adding a header to the processed message to obtain a message to be sent, where the header includes an IP address of a second electronic device side that is used to receive the message to be sent; and sending the message to be sent to the IP address of the second electronic equipment end so that the first electronic equipment end starts the operating system based on the processed message.
In operation S530, in the case of performing the decryption process, the processed message is sent to the first electronic device side, so that the first electronic device side starts the operating system using the processed message.
In some embodiments, the messages required by the pre-boot execution environment for starting the operating system use the DHCP protocol or the TFTP protocol. That is, the intelligent network card provided by the embodiment of the invention encrypts or decrypts DHCP messages and TFTP messages.
Fig. 6 schematically illustrates a message entering a public network from a local area network through a gateway device equipped with an intelligent network card according to an embodiment of the present invention.
As shown in fig. 6, for a received message, an intelligent network card in the gateway device filters according to a five-tuple of the message to obtain a specified message (DHCP message or TFTP message), where the specified message includes an IP header, a UDP header, and a payload portion, and then the intelligent network card encrypts the specified message and adds the message header.
In one possible implementation manner, after the encryption processing, the operation S120 is executed, and a header is added to the processed message to obtain a message to be sent, where the header includes an IP address of a second electronic device side that is used to receive the message to be sent, and the message to be sent is sent to the IP address of the second electronic device side, so that the first electronic device side starts an operating system based on the processed message.
In one possible implementation manner, as shown in fig. 6, before the encryption processing, the above operation S120 is performed, a header is added to the processed message to obtain a message to be sent, where the header includes an IP address of a second electronic device side that is used to receive the message to be sent, and the message to be sent is sent to the IP address of the second electronic device side, so that the first electronic device side starts an operating system based on the processed message.
In some embodiments, the header of the processed message includes an IP header, and adding the header to the processed message in operation S120 includes: copying an IP header (IP-HDR in FIG. 6) of the specified message, wherein the IP header of the specified message comprises a first part, a second part and a third part, the first part is a source IP address, the second part is a destination IP address, and the third part is a part except the source IP address and the destination IP address; replacing the first part with the IP address of the gateway equipment, and replacing the second part with the IP address of the receiving end to obtain a replaced IP head, wherein the receiving end is the second electronic equipment end under the condition of encryption processing, and the receiving end is the first electronic equipment end under the condition of decryption processing; the replaced IP header is used as the IP header of the processed message, i.e., the N-IP-HDR in fig. 6. The new IP head can ensure that the message can realize point-to-point transmission on the public network, thereby enabling the message to be smoothly sent to the server.
In an example, in a case that a gateway device provided with an intelligent network card sends a message to a public network, that is, in a case that the intelligent network card performs encryption processing, a client in a local area network sends a specified message, the intelligent network card copies an IP header of the specified message, and the IP header of the specified message includes a source IP address (client IP address), a destination IP address (IP address of the gateway device), and the rest; the source IP address is replaced by the IP address of the gateway equipment, and the destination IP address is replaced by the IP address of the server side.
In some embodiments, the header of the message to be sent includes a UDP header, and adding the header to the processed message in operation S120 includes: copying the UDP header of the designated message (UDP-HDR in figure 6), wherein the UDP header of the designated message comprises a first part, a second part and a third part, the first part is a source port number, the second part is a destination port number, and the third part is a part except the source port number and the destination port number; replacing the first part with the port number of the gateway equipment, and replacing the second part with the port number of the receiving end to obtain a replaced UDP header, wherein the receiving end is a second electronic equipment end under the condition of encryption processing, and the receiving end is a first electronic equipment end under the condition of decryption processing; the replaced UDP header is used as the UDP header of the processed message, i.e., the N-UDP-HDR in fig. 6. The new UDP header may guarantee that the message is transported end-to-end between the device ends.
In an example, in a case that a gateway device provided with an intelligent network card sends a message to a public network, that is, in a case that the intelligent network card performs encryption processing, a client in a local area network sends a specified message, the intelligent network card copies the UDP header of the specified message, and the UDP header of the specified message includes a source port number (a port number used by the client), a destination port number (a port number used by the server), and the rest; the source port number is replaced by the port number of the gateway device, and the destination port number is replaced by the port number of the server side.
In an alternative embodiment, the length field and the checksum field of the IP header and the UDP header in the added header may be updated accordingly.
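The header reconstruction described above, as an added example that is not code from the patent: it copies the original IP and UDP headers, replaces the source and destination parts, looks up the receiving end in an address mapping table, and updates the length and checksum fields. The function names, the addresses, port 40067 and the opaque `processed` bytes are constructed for illustration.

```python
import socket
import struct


def inet_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum (one's-complement sum of 16-bit words)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def _udp_pseudo(ip_hdr, udp_len: int) -> bytes:
    # UDP pseudo-header: source IP, destination IP, zero, protocol 17, UDP length.
    return bytes(ip_hdr[12:20]) + struct.pack("!BBH", 0, 17, udp_len)


def add_new_headers(orig_pkt, processed, gw_ip, gw_port, rx_port, address_map):
    """Prepend N-IP-HDR and N-UDP-HDR (copied from orig_pkt, then edited) to
    `processed`. Returns None when the destination has no mapping entry."""
    ihl = (orig_pkt[0] & 0x0F) * 4
    rx_ip = address_map.get(socket.inet_ntoa(orig_pkt[16:20]))
    if rx_ip is None:
        return None
    ip = bytearray(orig_pkt[:ihl])             # copy; the "third part" is kept
    udp = bytearray(orig_pkt[ihl:ihl + 8])
    udp_len = 8 + len(processed)
    ip[12:16] = socket.inet_aton(gw_ip)        # first part  -> gateway IP
    ip[16:20] = socket.inet_aton(rx_ip)        # second part -> receiving end IP
    struct.pack_into("!H", ip, 2, ihl + udp_len)    # IP total length
    struct.pack_into("!H", ip, 10, 0)               # clear, then recompute
    struct.pack_into("!H", ip, 10, inet_checksum(bytes(ip)))
    struct.pack_into("!HHHH", udp, 0, gw_port, rx_port, udp_len, 0)
    csum = inet_checksum(_udp_pseudo(ip, udp_len) + bytes(udp) + processed)
    struct.pack_into("!H", udp, 6, csum or 0xFFFF)  # 0 would mean "no checksum"
    return bytes(ip) + bytes(udp) + processed


def checksums_ok(pkt: bytes) -> bool:
    """Receiver-side check: the sum over a valid header folds to zero."""
    ihl = (pkt[0] & 0x0F) * 4
    udp_len = struct.unpack("!H", pkt[ihl + 4:ihl + 6])[0]
    return (inet_checksum(pkt[:ihl]) == 0
            and inet_checksum(_udp_pseudo(pkt, udp_len) + pkt[ihl:]) == 0)


def sample_original() -> bytes:
    """Constructed sample: client 192.168.1.23:68 -> gateway 192.168.1.1:67."""
    payload = b"constructed DHCP DISCOVER stand-in"
    udp = struct.pack("!HHHH", 68, 67, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234, 0, 64, 17, 0,
                     socket.inet_aton("192.168.1.23"),
                     socket.inet_aton("192.168.1.1"))
    return ip + udp


# Constructed mapping table: original destination IP -> receiving end IP.
ADDRESS_MAP = {"192.168.1.1": "203.0.113.10"}


def demo() -> bytes:
    processed = b"\xa5" * 45   # stand-in for the encrypted specified message
    return add_new_headers(sample_original(), processed, "198.51.100.1",
                           40067, 40067, ADDRESS_MAP)


if __name__ == "__main__":
    pkt = demo()
    print(pkt[:28].hex(), checksums_ok(pkt))
```

Skipping the checksum update leaves the copied checksum describing the old addresses, and a receiver that validates checksums discards the packet.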
Fig. 7 schematically illustrates a message entering, from the public network, a gateway device in which an intelligent network card is installed, according to an embodiment of the present invention.
As shown in fig. 7, messages entering the gateway device from the public network may be encrypted, so the gateway device processes them in the reverse order. Specifically, the gateway device performs five-tuple matching and filtering on the received message; uses the match to obtain the HMAC-2 key and verifies HMAC-2 over the whole packet; uses the match to obtain the HMAC-1 key and verifies HMAC-1 over the inner packet; if all verifications succeed (the data packet is discarded otherwise), decrypts the inner IP header, UDP header and UDP payload; if decryption succeeds (the data packet is discarded otherwise), deletes the redundant fields; and thereby obtains the original message for subsequent processing.
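The check ordering described above (five-tuple filter, HMAC-2, HMAC-1, and only then decryption) can be sketched as follows; this is an added example, not code from the patent. The trailer layout (inner packet, then HMAC-1 tag, then HMAC-2 tag), the use of HMAC-SHA-256, the coverage of HMAC-2 (everything before its tag in the UDP payload), and all keys and table entries are assumptions.

```python
import hashlib
import hmac
from typing import NamedTuple, Optional, Tuple

TAG_LEN = 32  # HMAC-SHA-256 tag length; the hash algorithm is an assumption


class FiveTuple(NamedTuple):
    proto: int
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Keys(NamedTuple):
    hmac1_key: bytes  # key for the inner-packet HMAC
    hmac2_key: bytes  # key for the whole-packet HMAC


# Stand-in for the filter policy the driver writes into KRAM:
# five-tuple -> keys. Every value here is constructed for the example.
POLICY = {
    FiveTuple(17, "220.181.38.149", 69, "221.181.38.140", 40069):
        Keys(b"constructed-inner-key", b"constructed-outer-key"),
}


def mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def seal(keys: Keys, inner: bytes) -> bytes:
    """Sender side, present only so the example can construct valid input."""
    body = inner + mac(keys.hmac1_key, inner)
    return body + mac(keys.hmac2_key, body)


def admit(ft: FiveTuple, payload: bytes) -> Tuple[str, Optional[bytes]]:
    """Return ("decrypt", inner) only if every check passes, else a drop verdict.

    Nothing is handed to the decryption stage until both tags have verified,
    and tags are compared in constant time.
    """
    keys = POLICY.get(ft)
    if keys is None:                      # five-tuple filter: no policy, no keys
        return ("drop:no-policy", None)
    if len(payload) < 2 * TAG_LEN + 1:    # too short to hold data and two tags
        return ("drop:short", None)

    body, tag2 = payload[:-TAG_LEN], payload[-TAG_LEN:]
    if not hmac.compare_digest(mac(keys.hmac2_key, body), tag2):
        return ("drop:hmac2", None)       # outer check fails first on any tamper

    inner, tag1 = body[:-TAG_LEN], body[-TAG_LEN:]
    if not hmac.compare_digest(mac(keys.hmac1_key, inner), tag1):
        return ("drop:hmac1", None)

    return ("decrypt", inner)             # still ciphertext; decrypt comes next


if __name__ == "__main__":
    ft = next(iter(POLICY))
    pkt = seal(POLICY[ft], b"constructed encrypted inner packet")
    print(admit(ft, pkt)[0])
    print(admit(ft, pkt[:-1] + b"\x00")[0])
```
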
In some embodiments, a storage space KRAM is provided in the intelligent network card. The storage space stores an address mapping table, which indicates the mapping relationship between the destination IP address and the IP address of the receiving end. Therefore, when the second part of the header is replaced with the IP address of the receiving end, the destination IP address is replaced with the mapped IP address of the receiving end according to the address mapping table in the storage space KRAM. This embodiment converts a large number of intranet IP addresses into one or a small number of public network IP addresses, reducing the consumption of public network IP addresses.
It can be understood that the address mapping table is used both for messages entering the public network from the local area network through the gateway device equipped with the intelligent network card and for messages entering that gateway device from the public network.
Fig. 8 schematically illustrates another message entering the public network from the local area network through the gateway device equipped with the intelligent network card according to an embodiment of the present invention.
Taking the case where the specified message is a DHCP message as an example, the port number used by the server is 67 and the port number used by the client is 68, and part of the address mapping table is:
<192.168.32.149:67> is replaced with <220.181.38.149:67>;
<192.168.32.145:67> is replaced with <220.181.38.145:67>;
<192.168.32.140:67> is replaced with <220.181.38.140:67>.
Taking the case where the specified message is a TFTP message as an example, the port number is 69, and part of the address mapping table is:
<192.168.32.149:69> is replaced with <220.181.38.149:69>;
<192.168.32.145:69> is replaced with <220.181.38.145:69>;
<192.168.32.140:69> is replaced with <220.181.38.140:69>.
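The header reconstruction for the LAN-to-public-network direction (copy the IP and UDP headers, replace addresses and ports through the mapping table, then update the length and checksum fields) is sketched below as an added example that is not code from the patent. The gateway address is taken from the gateway addresses assumed later in the description, the gateway port and the sample packet are constructed, and the processed message is treated as opaque bytes.

```python
import socket
import struct

# Partial address mapping table given on the page (LAN -> public network):
# (destination IP, destination port) -> (receiving-end IP, receiving-end port).
ADDRESS_MAP = {
    ("192.168.32.149", 67): ("220.181.38.149", 67),  # DHCP
    ("192.168.32.145", 67): ("220.181.38.145", 67),
    ("192.168.32.140", 67): ("220.181.38.140", 67),
    ("192.168.32.149", 69): ("220.181.38.149", 69),  # TFTP
    ("192.168.32.145", 69): ("220.181.38.145", 69),
    ("192.168.32.140", 69): ("220.181.38.140", 69),
}

GATEWAY_IP = "221.181.38.140"  # assumption: one of the gateway addresses the page assumes
GATEWAY_PORT = 40068           # constructed value; the page gives no gateway port


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum used by the IPv4 and UDP checksums."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def checksum(data: bytes) -> int:
    return ~ones_complement_sum(data) & 0xFFFF


def build_outer_packet(original: bytes, processed: bytes) -> bytes:
    """Copy the IP/UDP headers of `original`, replace the first and second
    parts, and prepend them to `processed` with length and checksum updated."""
    ihl = (original[0] & 0x0F) * 4
    if original[0] >> 4 != 4 or ihl < 20 or len(original) < ihl + 8:
        raise ValueError("not a complete IPv4/UDP packet")
    if original[9] != 17:
        raise ValueError("protocol is not UDP")

    ip_hdr = bytearray(original[:ihl])  # third part (TTL, ID, options) is kept
    dst_ip = socket.inet_ntoa(bytes(ip_hdr[16:20]))
    dst_port = struct.unpack("!H", original[ihl + 2:ihl + 4])[0]
    mapped = ADDRESS_MAP.get((dst_ip, dst_port))
    if mapped is None:
        raise LookupError("no mapping for %s:%d" % (dst_ip, dst_port))
    new_ip, new_port = mapped

    udp_len = 8 + len(processed)
    if ihl + udp_len > 0xFFFF:
        raise ValueError("processed message too large for one datagram")

    ip_hdr[2:4] = struct.pack("!H", ihl + udp_len)   # total length
    ip_hdr[12:16] = socket.inet_aton(GATEWAY_IP)     # first part: source
    ip_hdr[16:20] = socket.inet_aton(new_ip)         # second part: destination
    ip_hdr[10:12] = b"\x00\x00"
    ip_hdr[10:12] = struct.pack("!H", checksum(bytes(ip_hdr)))

    udp_hdr = struct.pack("!HHHH", GATEWAY_PORT, new_port, udp_len, 0)
    pseudo = bytes(ip_hdr[12:20]) + struct.pack("!BBH", 0, 17, udp_len)
    csum = checksum(pseudo + udp_hdr + processed) or 0xFFFF  # 0 means "none"
    return bytes(ip_hdr) + udp_hdr[:6] + struct.pack("!H", csum) + processed


def sample_client_packet() -> bytes:
    """Constructed packet from a LAN client (port 68) to 192.168.32.149:67."""
    payload = b"constructed DHCP payload"
    udp = struct.pack("!HHHH", 68, 67, 8 + len(payload), 0) + payload
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234,
                               0, 64, 17, 0, socket.inet_aton("192.168.32.10"),
                               socket.inet_aton("192.168.32.149")))
    ip[10:12] = struct.pack("!H", checksum(bytes(ip)))
    return bytes(ip) + udp


if __name__ == "__main__":
    out = build_outer_packet(sample_client_packet(), b"\xaa" * 48)
    print(socket.inet_ntoa(out[12:16]), "->", socket.inet_ntoa(out[16:20]), len(out))
```
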
Fig. 9 schematically illustrates another message entering, from the public network, a gateway device in which an intelligent network card is installed, according to an embodiment of the present invention.
Taking the case where the specified message is a DHCP message as an example, the port number used by the server is 67 and the port number used by the client is 68, and part of the address mapping table is:
<220.181.38.149:68> is replaced with <192.168.32.149:68>;
<220.181.38.145:68> is replaced with <192.168.32.145:68>;
<220.181.38.140:68> is replaced with <192.168.32.140:68>.
Taking the case where the specified message is a TFTP message as an example, the port number is 69, and part of the address mapping table is:
<220.181.38.149:69> is replaced with <192.168.32.149:69>;
<220.181.38.145:69> is replaced with <192.168.32.145:69>;
<220.181.38.140:69> is replaced with <192.168.32.140:69>.
Optionally, the storage space KRAM may be used to store configuration information related to keys, parameters, policies and the like (e.g., the five-tuple filtering applied to the data and the keys obtained through that filtering). When the intelligent network card driver is loaded, the relevant configuration information is written into the KRAM storage area of the intelligent network card, which makes it convenient for the intelligent network card driver and firmware to use.
Fig. 10 schematically shows the software environment of a gateway device in which an intelligent network card is installed, according to an embodiment of the present invention.
In some embodiments, when the destination IP address of the specified message is the IP address of the gateway device, the gateway device, by using its mirror image, also acts as the second electronic device end and performs the above-mentioned method for starting the operating system. Specifically, use of the mirror image includes forced use of the mirror image from the intranet to an external server, forced use of the mirror image from the public network to the local area network, or bidirectional access to the mirror image.
It can be appreciated that, for the PXE gateway device to act as a PXE mirror server, the gateway device needs the following software and hardware environments:
1. operating system of the gateway device (dynamic software environment): may be a conventional server system such as Linux or Windows Server. It mainly needs the related network tools and remote services, and must run stably for long periods without power failure. There are few requirements for desktop GUI programs;
2. PXE software environment (dynamic software environment): on the operating system of the gateway host, a software environment related to the PXE server is run, including the network protocols required for the PXE server to operate, such as the DHCP server protocol and the TFTP server protocol given in the above diagram;
3. related files (static software environment): the following files also need to be stored on the gateway host so that clients can download them:
(1) the network bootstrap file and related configuration files;
(2) the system boot files (which contain the minimal kernel of the system and the initialization files, vmlinuz and initrd.img);
4. hardware environment: the associated network card hardware is required. The invention adopts the intelligent network card described above.
The dynamic software environment and the hardware environment of the gateway are relatively stable and are updated relatively rarely, which ensures functional integrity and security. The related files required by the static software environment, by contrast, need to be updated from the PXE server on the public network from time to time, so that the gateway always holds the latest PXE running program.
Running the gateway device as a mirror server achieves the usual purposes of deploying a mirror server. On the one hand it improves data reliability, so that data remains available when the public network main server breaks down; on the other hand it improves data availability, so that data remains available when the public network main server is offline. In addition, using the mirror server improves data access efficiency while maintaining security: intranet machines access the gateway device without encryption, which gives higher access efficiency, while encryption during mirroring protects the mirror server. This encryption differs from ordinary software encryption in that it is hardware encryption implemented by the intelligent network card, which makes full use of hardware resources and improves encryption efficiency.
If the PXE server is compromised by an attacker, the gateway device can be reconfigured promptly through its built-in intelligent network card so that access addressed to the compromised PXE server is redirected to the mirror service of the local gateway device, or access to that PXE server is turned off directly, thereby strengthening security control.
It will be appreciated that the IP address of the gateway device is often configured as 192.168.32.1. If the intelligent network card of the gateway device receives a message from the internal local area network whose destination IP address is 192.168.32.1 and whose destination port number is 67 (DHCP) or 69 (TFTP), the mirror service of the gateway is used directly as the PXE server to complete PXE communication for the local internal machine.
It will be appreciated that when the destination IP address of the specified message is not the IP address of the gateway device, the gateway device may still receive data packets addressed to that other IP address. This indicates that the IP address does not exist in the local area network. Messages to such IP addresses then directly use the method for starting the operating system provided by the present invention to complete PXE communication.
It can be understood that if the destination IP address of a message received by the intelligent network card of the gateway device is the IP address of the gateway device and the port is within the specified range, the intelligent network card switches the message to the IP address and port of the gateway's mirror virtual machine (DHCP 67, TFTP 69).
In an alternative embodiment, the importance attached to security and stability may be reflected in how frequently the image is updated. Regarding the frequency and timing of image updates, the following may be employed:
1. each time the PXE gateway device starts, it checks whether the related files of the corresponding remote PXE server need to be updated;
2. each time the PXE gateway device receives a message to be sent to the remote public network PXE server, it also checks whether the related files of the corresponding remote PXE server need to be updated;
3. the PXE gateway device may also check, each time it receives an access to the local PXE server mirror image, whether the related files of the corresponding remote PXE server need to be updated;
4. when the set time is up, it checks whether the related files of all the remote PXE servers need to be updated;
5. when a file on a remote PXE server is updated, it can be checked whether the relevant file on the PXE client gateway needs to be updated.
Each of these time points can be configured to trigger, or not trigger, the image file update.
Based on the starting method of the operating system, the invention also provides an intelligent network card. The device will be described in detail below with reference to fig. 11.
Fig. 11 schematically shows a block diagram of a smart network card according to an embodiment of the invention.
As shown in fig. 11, the intelligent network card 1000 of this embodiment includes an encryption and decryption module 1010, a message reconstruction module 1020, and a message sending module 1030.
The encryption and decryption module 1010 is configured to encrypt or decrypt a received specified message in response to the received specified message, to obtain a processed message, where the specified message is a message required for starting a pre-boot execution environment of an operating system. In an embodiment, the encryption/decryption module 1010 may be used to perform the operation S110 described above, which is not described herein.
The message reconstruction module 1020 is configured, in the case of encryption processing, to add a message header to the processed message to obtain a message to be sent, where the message header includes the IP address of the second electronic device end that receives the message to be sent, and to send the message to be sent to the IP address of the second electronic device end, so that the first electronic device end starts the operating system based on the processed message. In an embodiment, the message reconstruction module 1020 may be configured to perform the operation S120 described above, which is not described herein.
The message sending module 1030 is configured, in the case of decryption processing, to send the processed message to the first electronic device end, so that the first electronic device end starts the operating system by using the processed message. In an embodiment, the message sending module 1030 may be configured to perform the operation S130 described above, which is not described herein.
According to the embodiment of the invention, the message required for starting the pre-boot execution environment of the operating system uses the DHCP protocol or the TFTP protocol.
According to an embodiment of the present invention, the header of the processed message includes an IP header, and adding the header to the processed message includes:
copying the IP header of the specified message, wherein the IP header of the specified message comprises a first part, a second part and a third part, the first part is the source IP address, the second part is the destination IP address, and the third part is everything other than the source IP address and the destination IP address;
replacing the first part with the IP address of the gateway device, and replacing the second part with the IP address of the receiving end to obtain a replaced IP header, wherein the receiving end is the second electronic device end in the case of encryption processing, and the receiving end is the first electronic device end in the case of decryption processing;
and taking the replaced IP header as the IP header of the message header of the processed message.
According to an embodiment of the present invention, the header of the message to be sent includes a UDP header, and adding the header to the processed message to obtain the message to be sent includes:
copying the UDP header of the specified message, wherein the UDP header of the specified message comprises a first part, a second part and a third part, the first part is the source port number, the second part is the destination port number, and the third part is everything other than the source port number and the destination port number;
replacing the first part with the port number of the gateway device, and replacing the second part with the port number of the receiving end to obtain a replaced UDP header, wherein the receiving end is the second electronic device end in the case of encryption processing, and the receiving end is the first electronic device end in the case of decryption processing;
and taking the replaced UDP header as the UDP header of the message header of the processed message.
According to the embodiment of the invention, a storage space is arranged in the intelligent network card, the storage space stores an address mapping table, and the address mapping table indicates the mapping relation between the destination IP address and the IP address of the receiving end;
the replacing the second portion with the IP address of the receiving end includes:
and replacing the destination IP address with the IP address of the mapped receiving end according to the address mapping table in the storage space.
According to an embodiment of the invention, the apparatus further comprises:
a mirror image module, configured to, when the destination IP address of the specified message is the IP address of the gateway device, make the gateway device also act as the second electronic device end and execute the starting method of the operating system by using the mirror image of the gateway device.
Any of the encryption and decryption module 1010, the message reconstruction module 1020, and the message sending module 1030 may be combined into one module to be implemented, or any of the modules may be split into a plurality of modules according to an embodiment of the present invention. Alternatively, at least some of the functionality of one or more of the modules may be combined with at least some of the functionality of other modules and implemented in one module. At least one of the encryption and decryption module 1010, the message reconstruction module 1020, and the message sending module 1030 may be implemented at least in part as hardware circuitry, such as a Field Programmable Gate Array (FPGA), a Programmable Logic Array (PLA), a system on a chip, a system on a substrate, a system on a package, an Application Specific Integrated Circuit (ASIC), or may be implemented in hardware or firmware in any other reasonable manner of integrating or packaging the circuitry, or in any one of or a suitable combination of three implementations of software, hardware, and firmware, according to embodiments of the present invention. Alternatively, at least one of the encryption and decryption module 1010, the message reconstruction module 1020, and the message transmission module 1030 may be at least partially implemented as a computer program module, which may perform a corresponding function when executed.
Fig. 12 schematically illustrates a block diagram of an intelligent network card for a method of booting an operating system according to an embodiment of the invention.
As shown in fig. 12, the intelligent network card 600 according to the embodiment of the present invention includes a processor 601 which can perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM) 602 or a program loaded from a storage section 608 into a Random Access Memory (RAM) 603. The processor 601 may include, for example, a general purpose microprocessor (e.g., a CPU), an instruction set processor and/or an associated chipset and/or a special purpose microprocessor (e.g., an Application Specific Integrated Circuit (ASIC)), or the like. Processor 601 may also include on-board memory for caching purposes. Processor 601 may include a single processing unit or multiple processing units for performing the different actions of the method flows according to embodiments of the invention.
In the RAM 603, various programs and data necessary for the operation of the electronic apparatus 600 are stored. The processor 601, the ROM 602, and the RAM 603 are connected to each other through a bus 604. The processor 601 performs various operations of the method flow according to an embodiment of the present invention by executing programs in the ROM 602 and/or the RAM 603. Note that the program may be stored in one or more memories other than the ROM 602 and the RAM 603. The processor 601 may also perform various operations of the method flow according to embodiments of the present invention by executing programs stored in the one or more memories.
According to an embodiment of the invention, the intelligent network card 600 may also include an input/output (I/O) interface 605, the input/output (I/O) interface 605 also being connected to the bus 604. The electronic device 600 may also include one or more of the following components connected to the I/O interface 605: an input portion 606 including a keyboard, mouse, etc.; an output portion 607 including a Cathode Ray Tube (CRT), a Liquid Crystal Display (LCD), and the like, a speaker, and the like; a storage section 608 including a hard disk and the like; and a communication section 609 including a network interface card such as a LAN card, a modem, or the like. The communication section 609 performs communication processing via a network such as the internet. The drive 610 is also connected to the I/O interface 605 as needed. Removable media 611 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is installed as needed on drive 610 so that a computer program read therefrom is installed as needed into storage section 608.
The present invention also provides a computer-readable storage medium that may be embodied in the apparatus/device/system described in the above embodiments; or may exist alone without being assembled into the apparatus/device/system. The computer-readable storage medium carries one or more programs which, when executed, implement methods in accordance with embodiments of the present invention.
According to embodiments of the present invention, the computer-readable storage medium may be a non-volatile computer-readable storage medium, which may include, for example, but is not limited to: a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this document, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. For example, according to embodiments of the invention, the computer-readable storage medium may include ROM 602 and/or RAM 603 and/or one or more memories other than ROM 602 and RAM 603 described above.
The embodiment of the invention also comprises gateway equipment, and the gateway equipment is provided with an intelligent network card as shown in fig. 11.
Embodiments of the present invention also include a computer program product comprising a computer program containing program code for performing the method shown in the flowcharts. When the computer program product is run on a computer system, the program code causes the computer system to carry out the methods provided by embodiments of the present invention.
The above-described functions defined in the system/apparatus of the embodiment of the present invention are performed when the computer program is executed by the processor 601. The systems, apparatus, modules, units, etc. described above may be implemented by computer program modules according to embodiments of the invention.
In one embodiment, the computer program may be based on a tangible storage medium such as an optical storage device, a magnetic storage device, or the like. In another embodiment, the computer program may also be transmitted, distributed in the form of signals over a network medium, and downloaded and installed via the communication section 609, and/or installed from the removable medium 611. The computer program may include program code that may be transmitted using any appropriate network medium, including but not limited to: wireless, wired, etc., or any suitable combination of the foregoing.
In such an embodiment, the computer program may be downloaded and installed from a network through the communication portion 609, and/or installed from the removable medium 611. The above-described functions defined in the system of the embodiment of the present invention are performed when the computer program is executed by the processor 601. The systems, devices, apparatus, modules, units, etc. described above may be implemented by computer program modules according to embodiments of the invention.
In order to manage the intelligent network card environments of multiple gateways more conveniently from the PXE server side, a set of intelligent network card driver remote maintenance software has also been developed. The driver remote maintenance software has the following functions:
1. maintaining the driver of the intelligent network card, iterating on functionality and fixing bugs promptly;
2. maintaining the firmware program of the intelligent network card: each time the host system restarts, the intelligent network card driver copies the firmware and loads it into the hardware storage of the intelligent network card. Therefore, updating the intelligent network card driver also achieves the purpose of updating the intelligent network card firmware;
3. maintaining the configuration data of the intelligent network card: the configuration data of the intelligent network card is also stored in the driver and the firmware, so when the driver and the firmware program are loaded, the data is written to the KRAM storage area of the intelligent network card for subsequent use by the programs.
Fig. 13 schematically illustrates a network topology of an intelligent network card driver management server according to an embodiment of the present invention.
As shown in fig. 13, in order to better manage the intelligent network card drivers of all the PXE gateways and servers, an intelligent network card driver management server is introduced. The driver management server is logically independent of the other machines in the system, but in an actual deployment it may physically share a machine with other servers in the system. The specific network topology is shown in fig. 13. The driver management server must be reachable by all PXE client gateway devices and PXE servers and must be able to communicate with them bidirectionally.
In addition, it should be noted that the intelligent network card generally uses a public network IP address, because the PXE client and the PXE server are usually not located in the same local area network; otherwise no separate gateway would be needed and no encrypted communication would be required. Likewise, both the PXE client gateway devices and the PXE server machines have public network IP addresses.
Because the intelligent network card driver (including the driver itself, the firmware program, and the configuration file) on each PXE gateway or PXE server may be different, multiple directories need to be established on the intelligent network card driver management server, and each directory corresponds to a machine that needs to install the intelligent network card driver. The directory stores the latest version of the driver of the intelligent network card that the corresponding machine needs to install.
Without loss of generality, one can assume:
1. the gateway IP addresses of the clients are 221.181.38.140-221.181.38.142 respectively, and so on;
2. the IP addresses of the server side are 220.181.38.140-220.181.38.141 respectively, and so on.
The directory structure of the intelligent network card driver management server is shown in fig. 14, where:
1. "…" means that there are more similar hosts and corresponding directories;
2. the intelligent network card (ko) file is the binary executable of the latest version of the intelligent network card driver. After it is downloaded locally, installation can be completed in a Linux environment by unloading with the rmmod command and loading with the insmod command;
3. the version file records the version number and version name of the stored intelligent network card driver and is used to check whether the intelligent network card driver of a PXE client or server host is the latest version.
For each communication, PXE communication over the public network requires that the intelligent network card drivers at both the PXE client end and the server end be up to date. Therefore, each time the driver on the intelligent network card driver management server is updated, the PXE terminals in which the intelligent network card is installed should update their drivers as soon as possible. The specific update strategy may vary, for example:
1. for higher security requirements, the intelligent network card driver should always remain up to date. Each time an update on the driver server is completed, the driver remote maintenance software must be executed at the same time on every client in which the intelligent network card is installed;
2. for lower security requirements, the following policy may be used: the intelligent network card driver of the PXE server is updated first, so that the intelligent network card driver environment of the PXE server is always up to date; then, each time the PXE client gateway device performs mirroring or PXE remote communication, it checks whether the intelligent network card driver version numbers of the client and the server are consistent, and if not, updates the driver before performing the mirroring or remote communication.
Specifically, the "N10 remote maintenance software" is run. The software performs the following operations in sequence:
connect to the remote PXE server through the SSL protocol (the IP address and port of the server to connect to are fixed); query the firmware version number of the server-side intelligent network card and determine whether the local intelligent network card driver needs to be updated; if the local driver version number is lower than the version number on the driver management server, download and update the local intelligent network card driver (the latest intelligent network card driver can be obtained from a storage device such as local hardware), restart the local host, load the updated local intelligent network card driver, and display that the intelligent network card driver update succeeded; if no update is needed (the local driver version number is not lower than the version number on the driver management server), directly display "the intelligent network card driver is already up to date and no update is needed".
Specifically, the intelligent network card driver maintenance software is started, and the process shown in fig. 15 is executed.
The encryption policy parameters for PXE may be determined by dynamic negotiation between the client and the server. The encryption policy parameters include at least the following: whether to encrypt, the encryption algorithm type, the HMAC hash algorithm type, the key length, and other content.
The PXE encryption policy used for PXE communication may be specified by a user or an administrator. It can be specified in the following ways:
1. when the PXE client is started, a related command is entered through the PXE Shell to set whether encryption is performed;
2. at the PXE server end, a security policy is configured in advance according to the IP address of the communicating client. Then, when the PXE client is started, whether encrypted and decrypted communication is needed only has to be consistent with the server's policy. When a change is needed, both ends are modified at the same time: the client modifies the intelligent network card communication firmware, and the server modifies the security policy;
3. finally, as a heavyweight option (more expensive but the most flexible to update), communication and encryption configuration parameters that do not change frequently can be written into the driver and firmware programs of the intelligent network card. The PXE encryption policy is then updated and managed by updating the driver and firmware programs of the intelligent network card. The intelligent network card driver and firmware can be updated locally or through the intelligent network card driver remote maintenance software.
According to embodiments of the present invention, program code for carrying out computer programs provided by embodiments of the present invention may be written in any combination of one or more programming languages, and in particular, such computer programs may be implemented in high-level procedural and/or object-oriented programming languages, and/or in assembly/machine languages. Programming languages include, but are not limited to, Java, C++, Python, "C" or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device, partly on a remote computing device, or entirely on the remote computing device or server. In the case of remote computing devices, the remote computing device may be connected to the user computing device through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computing device (e.g., connected via the Internet using an Internet service provider).
The flowcharts and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
Those skilled in the art will appreciate that the features recited in the various embodiments of the invention and/or in the claims may be combined and/or integrated in various ways, even if such combinations or integrations are not explicitly recited in the invention. In particular, the features recited in the various embodiments of the invention and/or in the claims can be combined and/or integrated in various ways without departing from the spirit and teachings of the invention. All such combinations and/or integrations fall within the scope of the invention.
The embodiments of the present invention are described above. However, these examples are for illustrative purposes only and are not intended to limit the scope of the present invention. Although the embodiments are described above separately, this does not mean that the measures in the embodiments cannot be used advantageously in combination. The scope of the invention is defined by the appended claims and equivalents thereof. Various alternatives and modifications can be made by those skilled in the art without departing from the scope of the invention, and such alternatives and modifications are intended to fall within the scope of the invention.

Claims (10)

1. A method for starting an operating system, the method being applied to an intelligent network card, the intelligent network card being disposed in a gateway device, the operating system being installed on a first electronic device side, the method comprising:
in response to receiving a specified message, encrypting or decrypting the specified message to obtain a processed message, wherein the specified message is a message required by a pre-boot execution environment for starting an operating system;
under the condition of encryption processing, adding a message header to the processed message to obtain a message to be sent, wherein the message header comprises an IP address of a second electronic equipment end for receiving the message to be sent; the message to be sent is sent to the IP address of the second electronic equipment end, so that the first electronic equipment end starts the operating system based on the message to be sent;
and under the condition of decryption processing, sending the processed message to the first electronic equipment end so that the first electronic equipment end can start the operating system by adopting the processed message.
2. The method for booting an operating system of claim 1 wherein the messages required to boot the pre-boot execution environment of the operating system execute a DHCP protocol or a TFTP protocol.
3. The method for starting an operating system according to claim 1, wherein the header of the processed message includes an IP header, and the adding the header to the processed message includes:
copying an IP header of the specified message, wherein the IP header of the specified message comprises a first part, a second part and a third part, the first part is a source IP address, the second part is a destination IP address, and the third part is a part except the source IP address and the destination IP address;
replacing the first part with the IP address of the gateway device, and replacing the second part with the IP address of a receiving end to obtain a replaced IP header, wherein the receiving end is the second electronic device end under the condition of encryption processing, and the receiving end is the first electronic device end under the condition of decryption processing;
and taking the replaced IP header as the IP header of the message header of the processed message.
4. The method for starting an operating system according to claim 3, wherein the header of the message to be sent includes a UDP header, and adding the header to the processed message to obtain the message to be sent includes:
copying the UDP header of the specified message, wherein the UDP header of the specified message comprises a first part, a second part and a third part, the first part is a source port number, the second part is a destination port number, and the third part is a part except the source port number and the destination port number;
replacing the first part with the port number of the gateway device, and replacing the second part with the port number of a receiving end to obtain a replaced UDP header, wherein the receiving end is the second electronic device end under the condition of encryption processing, and the receiving end is the first electronic device end under the condition of decryption processing;
and taking the replaced UDP header as the UDP header of the message header of the processed message.
5. The method for starting an operating system according to claim 1, wherein a storage space is provided in the intelligent network card, the storage space stores an address mapping table, and the address mapping table indicates a mapping relationship between the destination IP address and the IP address of the receiving end;
the replacing the second part with the IP address of the receiving end includes:
and replacing the destination IP address with the IP address of the mapped receiving end according to the address mapping table in the storage space.
6. The method of operating system startup according to claim 1, further comprising:
and under the condition that the destination IP address of the designated message is the IP address of the gateway equipment, using the mirror image of the gateway equipment, enabling the gateway equipment to simultaneously serve as the second electronic equipment end to execute the starting method of the operating system of any one of claims 1 to 5.
7. An intelligent network card, characterized in that the intelligent network card is disposed in a gateway device, the local area network corresponding to the gateway device includes a first electronic device end, an operating system is installed on the first electronic device end, and the intelligent network card includes:
the encryption and decryption module is used for, in response to receiving a specified message, encrypting or decrypting the specified message to obtain a processed message, wherein the specified message is a message required by a pre-boot execution environment for starting an operating system;
the message reconstruction module is used for adding a message header to the processed message to obtain a message to be sent under the condition of encryption processing, wherein the message header comprises an IP address of a second electronic equipment end used for receiving the message to be sent; the message to be sent is sent to the IP address of the second electronic equipment end, so that the first electronic equipment end starts the operating system based on the processed message;
and the message sending module is used for sending the processed message to the first electronic equipment end under the condition of decryption processing, so that the first electronic equipment end starts the operating system by adopting the processed message.
8. An intelligent network card, characterized in that the intelligent network card is disposed in a gateway device, the local area network corresponding to the gateway device includes a first electronic device end, an operating system is installed on the first electronic device end, and the intelligent network card includes:
one or more processors; and
storage means for storing one or more programs,
wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to perform the method of any of claims 1-6.
9. A gateway device, characterized in that an intelligent network card as claimed in claim 8 is provided.
10. A computer readable storage medium having stored thereon executable instructions which, when executed by a processor, cause the processor to perform the method according to any of claims 1-6.
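
The header rewrite described in claims 3 to 5, as an added example that is not code from the patent: the source IP and UDP source port are replaced with the gateway's, and the destination is replaced with the receiving end found in the address mapping table. The entry layout, the per-entry receiver port, the checksum handling, the drop-on-miss result and all sample addresses are assumptions; the example also assumes the processed payload keeps its length, so the copied length fields remain valid.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical mapping-table entry: original destination IP -> receiver IP and port. */
struct map_entry { uint8_t dst_ip[4]; uint8_t rx_ip[4]; uint16_t rx_port; };

/* RFC 1071 checksum over the IPv4 header; returns 0 when the stored checksum is valid. */
static uint16_t ip_checksum(const uint8_t *h, size_t ihl) {
    uint32_t sum = 0;
    for (size_t i = 0; i < ihl; i += 2) sum += ((uint32_t)h[i] << 8) | h[i + 1];
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }

/* Rewrites pkt in place. Returns 0 on success, -1 if malformed or not IPv4/UDP,
 * -2 if the destination has no mapping; on any error pkt is left untouched. */
int rewrite_headers(uint8_t *pkt, size_t len, const uint8_t gw_ip[4],
                    uint16_t gw_port, const struct map_entry *tab, size_t n) {
    if (len < 20 || (pkt[0] >> 4) != 4) return -1;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    size_t tot = ((size_t)pkt[2] << 8) | pkt[3];      /* IP total length */
    if (ihl < 20 || tot < ihl + 8 || tot > len || pkt[9] != 17) return -1;
    const struct map_entry *hit = NULL;
    for (size_t i = 0; i < n && !hit; i++)
        if (memcmp(tab[i].dst_ip, pkt + 16, 4) == 0) hit = &tab[i];
    if (!hit) return -2;                  /* fail closed: drop unmapped traffic */
    memcpy(pkt + 12, gw_ip, 4);           /* first part: source IP -> gateway */
    memcpy(pkt + 16, hit->rx_ip, 4);      /* second part: destination -> receiver */
    put16(pkt + 10, 0);                   /* checksum field must be 0 while summing */
    put16(pkt + 10, ip_checksum(pkt, ihl));
    put16(pkt + ihl, gw_port);            /* UDP source port -> gateway port */
    put16(pkt + ihl + 2, hit->rx_port);   /* UDP destination port -> receiver port */
    put16(pkt + ihl + 6, 0);              /* old UDP checksum is stale; 0 = none (IPv4) */
    return 0;
}

/* Constructed sample: 10.0.0.5:68 -> 10.0.0.1:67, 20-byte IP + 8-byte UDP header. */
static const uint8_t SAMPLE[28] = {
    0x45, 0, 0, 28, 0, 0, 0, 0, 64, 17, 0, 0, 10, 0, 0, 5, 10, 0, 0, 1,
    0, 68, 0, 67, 0, 8, 0xbe, 0xef };

/* Runs the rewrite on a copy of SAMPLE with constructed gateway values. */
int demo(uint8_t out[28], const struct map_entry *tab, size_t n) {
    static const uint8_t gw[4] = {192, 0, 2, 1};
    memcpy(out, SAMPLE, sizeof SAMPLE);
    return rewrite_headers(out, sizeof SAMPLE, gw, 40000, tab, n);
}
```

A miss in the mapping table returns -2 without modifying the packet, so the caller can drop it rather than forward a boot message to an unintended receiver.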
CN202311689109.6A 2023-12-08 2023-12-08 Starting method of operating system, intelligent network card, gateway equipment and storage medium Pending CN117692263A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311689109.6A CN117692263A (en) 2023-12-08 2023-12-08 Starting method of operating system, intelligent network card, gateway equipment and storage medium

Publications (1)

Publication Number Publication Date
CN117692263A true CN117692263A (en) 2024-03-12

Family

ID=90133037

Country Status (1)

Country Link
CN (1) CN117692263A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination